restricting rsync over ssh

J.K.Wight at J.K.Wight at
Fri Jun 7 08:44:03 EST 2002

Dave Dykstra writes:
> On Wed, May 22, 2002 at 02:39:00PM -0700, Mike Rubel wrote:
> > This brings up an interesting question.  Does anyone use the server
> > version of rsyncd with an ssh tunnel?  In other words:
> >
> > On the server, bring up sshd listening on *:22, and rsyncd accepting
> > connections from localhost only, port 873.
> >
> > Then, on the client machine, set up an ssh tunnel:
> >
> > ssh server -L 1873:server:873
> >
> > (I just picked 1873 for convenience; you could use any open
> > user-accessible port).
> >
> > Then rsync to localhost:1873, letting ssh carry the connection over the
> > tunnel to the server:
> >
> > rsync rsync://user@localhost:1873/path/to/source dest
> > Does anyone use this approach?  Are there any advantages/disadvantages?
> I didn't see any respones to your message so I guess it isn't very widely
> done.  I haven't tried it but I don't see why it wouldn't work.  You could
> probably use "hosts allow = localhost" to disallow people from using port
> 873 directly.

Somewhat belatedly, I can report that I use rysnc in daemon mode in
conjunction with an SSH tunnel, but using remote port forwarding. I
use the method to distribute password and shadow files.

On the server, SSH is needed for other purposes, so its daemon runs
all the time, but the rsync daemon only ever runs for as long as it
takes to serve all of the clients once. I restrict access to the
module through a secrets file and change the password for every
client, using some random data out of /proc. From a regular cron job,
the server starts the rsync daemon, contacts each client in turn using
a passphraseles key, specifying remote port forwarding, and passing
the password to SSH on standard input; the rsync daemon is shut down
once every client has been dealt with. The clients have a forced
command for the key in their authorized_keys files which extracts the
password from standard output into a file and runs:

    rsync --password-file <that file> localhost::module DEST


More information about the rsync mailing list